b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n            Information Technology Management \n\n            Letter for the FY 2009 Transportation \n\n              Security Administration Financial \n\n                        Integrated Audit \n\n\n\n\n\nOIG-10-82                                             April 2010\n\x0c                                                            Office of Inspector General\n\n                                                            U.S. Department of Homeland Security\n                                                            Washington, DC 25028\n\n\n\n\n                                         April 15, 2010\n\n\n                                             Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established\nby the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of 1978. This is one of a series of audit, inspection, and special reports prepared as\npart of our oversight responsibilities to promote economy, efficiency, and effectiveness within\nthe department.\n\nThis report presents the information technology (IT) management letter for the FY 2009\nTransportation Security Administration (TSA) financial statement audit as of September 30,\n2009. It contains observations and recommendations related to information technology internal\ncontrol that were summarized in the Independent Auditors Report, dated March 17, 2010 and\npresents the separate restricted distribution report mentioned in that report. The independent\naccounting firm KPMG LLP (KPMG) performed the audit procedures at TSA in support of the\nDHS FY 2009 financial statements and prepared this IT management letter. KPMG is\nresponsible for the attached IT management letter dated April 2, 2009, and the conclusions\nexpressed in it. 
We do not express opinions on TSA\xe2\x80\x99s financial statements or internal control or\nconclusions on compliance with laws and regulations.\n\nThe recommendations herein have been developed to the best knowledge available to our office,\nand have been discussed in draft with those responsible for implementation. We trust that this\nreport will result in more effective, efficient, and economical operations. We express our\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                             Frank Deffer\n                                             Assistant Inspector General\n                                             Information Technology Audits\n\x0c                                   KPMG LLP\n                                   2001 M Street, NW\n                                   Washington, DC 20036\n\n\n\n\nApril 2, 2010\n\nInspector General\nU.S. Department of Homeland Security\n\nChief Information Officer\nTransportation Security Administration\n\nChief Financial Officer\nTransportation Security Administration\n\nLadies and Gentlemen:\n\nWe have audited the consolidated balance sheet of the U.S. Department of Homeland Security (DHS),\nTransportation Security Administration (TSA) as of September 30, 2009. The objective of our audit was\nto express an opinion on the fair presentation of this consolidated balance sheet. In connection with our\nfiscal year 2009 audit, we also considered TSA\xe2\x80\x99s internal controls over financial reporting, and tested\nTSA\xe2\x80\x99s compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements\nthat could have a direct and material effect on the consolidated balance sheet. 
To assist in planning and\nperforming the audit we performed an evaluation of information technology general controls (ITGC).\nThe Federal Information System Controls Audit Manual (FISCAM), issued by the Government\nAccountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the\nITGC evaluation is further described in Appendix A.\n\nA control deficiency exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent or detect and correct\nmisstatements on a timely basis. A significant deficiency is a deficiency, or a combination of\ndeficiencies, in internal control over financial reporting that is less severe than a material weakness, yet\nimportant enough to merit attention by those charged with governance. A material weakness is a\ndeficiency, or a combination of deficiencies, in internal control over financial reporting, such that there\nis a reasonable possibility that a material misstatement of the entity\xe2\x80\x99s financial statements will not be\nprevented, or detected and corrected on a timely basis.\n\nDuring our audit engagement, we noted certain matters in the areas of information technology (IT)\nconfiguration management, access controls and security management with respect to TSA\xe2\x80\x99s financial\nsystems IT general controls which we believe contribute to a DHS-level significant deficiency and that is\nconsidered a significant deficiency in IT controls and financial system functionality. These matters are\ndescribed in the IT General Control Findings by Audit Area section of this letter.\nThe significant deficiency described above is presented in our Independent Auditors\xe2\x80\x99 Report, dated\nMarch 17, 2010. This letter represents the separate restricted distribution report mentioned in that report.\n\n\n\n\n                                    KPMG LLP, a U.S. 
limited liability partnership, is the U.S.\n                                    member firm of KPMG International, a Swiss cooperative.\n\x0cThe significant deficiency and other comments described herein have been discussed with the appropriate\nmembers of management, or communicated through a Notice of Finding and Recommendation (NFR).\nWe aim to use our knowledge of DHS\xe2\x80\x99 organization gained during our audit engagement to make\ncomments and suggestions that we hope will be useful to you. We have not considered internal control\nsince the date of our Independent Auditors\xe2\x80\x99 Report.\nThe Table of Contents on the next page identifies each section of the letter. In addition, we have\nprovided: a description of key TSA financial systems and IT infrastructure within the scope of the FY\n2009 DHS financial statement audit engagement in Appendix A; a description of each internal control\nfinding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments\nrelated to financial management and reporting internal controls have been presented in a separate letter to\nthe Office of Inspector General and the DHS Chief Financial Officer dated March 23, 2010. TSA\xe2\x80\x99s\nresponse to the findings identified is attached to this letter. We did not audit TSA\xe2\x80\x99s response, and\naccordingly, we express no opinion on it.\nThis report is intended solely for the information and use of DHS management, DHS Office of Inspector\nGeneral, OMB, U.S. Government Accountability Office, and the U.S. 
Congress, and is not intended to be\nand should not be used by anyone other than these specified parties.\n\n\nVery truly yours,\n\x0c                                   Department of Homeland Security \n\n                                Transportation Security Administration \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n                  INFORMATION TECHNOLOGY MANAGEMENT LETTER \n\n\n                                        TABLE OF CONTENTS \n\n                                                                                                 Page\n \n\n\nObjective, Scope and Approach                                                                     1\n \n\n\nSummary of Findings and Recommendations                                                           2\n \n\n\nIT General Control and Financial System Functionality Findings by Audit Area                      3\n\n\n Findings Contributing to a Significant Deficiency in IT                                          3\n\n\n    Findings related to IT General Controls                                                       3\n\n\n       Configuration Management                                                                   3\n \n\n\n    Related to Financial System Functionality                                                     4\n\n\n Other Findings in IT General Controls                                                            5\n\n\n       Access Controls                                                                            5\n\n\n       Security Management                                                                        5\n\n\n Physical Security Testing                                                                        5\n\n\n Social Engineering Testing                                                                       6\n \n\n\nApplication Controls                                                      
                        8\n \n\n\nManagement\xe2\x80\x99s Comments and OIG Response                                                            8\n \n\n                                 APPENDICES\n \n\n\n    Appendix                                           \tSubject                                  Page\n\n\n                       Description of Key Financial Systems and IT Infrastructure within the \n\n        A\t                                                                                        9\n                       Scope of the FY 2009 TSA Financial Statement Audit at TSA \n\n\n\n        B              FY 2009 Notice of IT Findings and Recommendations at TSA                   11\n \n\n\n\n                           -    Notice of Findings and Recommendations \xe2\x80\x93 Definition of \n\n                                                                                                  12\n                                Severity Ratings\n                       Status of Prior Year Notices of Findings and Recommendations and\n        C\t \t           Comparison to Current Year Notices of Findings and Recommendations         17\n \n\n                       at TSA\n \n\n\x0c              Department of Homeland Security\n           Transportation Security Administration\n          Information Technology Management Letter\n                     September 30, 2009\n\n\n\nD   Management\xe2\x80\x99s Comments                            21\n\n\nE   Report Distribution                              22\n\x0c                                   Department of Homeland Security \n\n                                Transportation Security Administration \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n\n\n                            OBJECTIVE, SCOPE AND APPROACH\n\nWe have audited the Transportation Security Administration\xe2\x80\x99s (TSA) consolidated balance sheet as 
of\nSeptember 30, 2009. In connection with our audit of TSA\xe2\x80\x99s consolidated balance sheet we performed an\nevaluation of information technology general controls (ITGC), to assist in planning and performing our\naudit. The U.S. Coast Guard\xe2\x80\x99s Finance Center (FINCEN) hosts key financial applications for TSA. As\nsuch, our audit procedures over information technology (IT) general controls for TSA included testing of\nthe Coast Guard\xe2\x80\x99s FINCEN policies, procedures, and practices, as well as TSA policies, procedures and\npractices at TSA Headquarters. The Federal Information System Controls Audit Manual (FISCAM),\nissued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation\nprocedures. The scope of the ITGC evaluation is further described in Appendix A.\n\nThe FISCAM was designed to inform financial auditors about IT controls and related audit concerns to\nassist them in planning their audit work and to integrate the work of auditors with other aspects of the\nfinancial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of\nreview that generally should be performed when evaluating general controls and the IT environment of a\nfederal agency. 
FISCAM defines the following five control functions to be essential to the effective\noperation of the general IT controls environment.\n\n\xef\xbf\xbd\t Security management (SM) \xe2\x80\x93 Controls that provide a framework and continuing cycle of activity for\n   managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy\n   of computer-related security controls.\n\xef\xbf\xbd\t Access control (AC) \xe2\x80\x93 Controls that limit and/or monitor access to computer resources (data,\n   programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.\n\xef\xbf\xbd\t Configuration Management (CM) \xe2\x80\x93 Controls that help to prevent the implementation of unauthorized\n   programs or modifications to existing programs.\n\xef\xbf\xbd\t Segregation of duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n   structure to prevent one individual from controlling key aspects of computer-related operations, thus\n   deterring unauthorized actions or access to assets or records.\n\xef\xbf\xbd\t Contingency Planning (CP) \xe2\x80\x93 Controls that involve procedures for continuing critical operations\n   without interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our general IT controls audit, we also performed technical security testing for key\nnetwork and system devices. 
The technical security testing was performed both over the Internet and\nfrom within select Coast Guard facilities, and focused on test, development, and production devices that\ndirectly support TSA\xe2\x80\x99s financial processing and key general support systems.\n\nApplication controls were not tested for the year ending September 30, 2009 due to the nature of prior-\nyear audit findings.\n\n\n\n\n                                                    1\n \n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                   Department of Homeland Security \n\n                                Transportation Security Administration \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n\n\n                  SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring fiscal year (FY) 2009, TSA took corrective action to address prior year IT control deficiencies.\nFor example, TSA made improvements in providing IT security awareness training and developing\npolicies and procedures over their own configuration management monitoring controls. However, during\nFY 2009, we continued to identify IT general control deficiencies that impact TSA\xe2\x80\x99s financial data. The\nmost significant issues from a financial statement audit perspective related to controls over the\ndevelopment, implementation, and tracking of scripts at Coast Guard\xe2\x80\x99s FINCEN. Collectively, the IT\ncontrol deficiencies limited TSA\xe2\x80\x99s ability to ensure that critical financial and operational data were\nmaintained in such a manner to ensure confidentiality, integrity, and availability. 
In addition, these\ndeficiencies negatively impacted the internal controls over TSA financial reporting and its operation and\nwe consider them to collectively represent a significant deficiency for TSA under standards established by\nthe American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of\nour test work, we noted that TSA did not fully comply with the Department\xe2\x80\x99s requirements of the Federal\nFinancial Management Improvement Act (FFMIA).\nOf the 4 findings issued during our TSA FY 2009 testing, 2 were repeated findings and 2 were new IT\nfindings. These findings represent deficiencies in three of the five FISCAM key control areas.\nSpecifically the deficiencies were: 1) monitoring controls over the scripting process that are not fully\ndesigned and operating effectively, 2) unverified access controls through the lack of comprehensive user\naccess privilege re-certifications, and 3) security management issues involving the terminated employee\nprocess.\nIn addition, we determined that the following deficiencies identified at the Coast Guard IT environment\nalso impact TSA financial data: 1) inadequately designed and operating IT script change control policies\nand procedures, 2) unverified access controls through the lack of user access privilege re-certifications, 3)\nsecurity management issues involving civilian and contractor background investigations, 4) physical\nsecurity and security awareness issues, and 5) procedures for role-based training for individuals with\nelevated responsibilities not fully defined. We also considered the effects of financial systems\nfunctionality when testing internal controls since key Coast Guard financial systems that house TSA\nfinancial data are not compliant with FFMIA and are no longer supported by the original software\nprovider. 
Financial system functionality limitations add to the challenge of addressing systemic internal\ncontrol deficiencies, and strengthening the control environment at FINCEN.\nThese deficiencies may increase the risk that the confidentiality, integrity, and availability of system\ncontrols and TSA financial data could be exploited thereby compromising the integrity of financial data\nused by management and reported in TSA\xe2\x80\x99s financial statements.\nWhile the recommendations made by us should be considered by TSA, it is the ultimate responsibility of\nTSA management to determine the most appropriate method(s) for addressing the deficiencies identified\nbased on their system capabilities and available resources.\n\n\n\n\n                                                      2\n \n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                    Department of Homeland Security \n\n                                 Transportation Security Administration \n\n                                Information Technology Management Letter\n                                           September 30, 2009\n\n\n IT GENERAL CONTROL AND FINANCIAL SYSTEM FUNCTIONALITY FINDINGS \n\n                          BY AUDIT AREA\n\n\nFindings Contributing to a Significant Deficiency in IT at the TSA Level\n\nConditions: In FY 2009, the following IT general control and financial system functionality deficiencies\nwere identified at TSA and Coast Guard and contribute to a DHS-level significant deficiency that is\nconsidered a significant deficiency in IT general and application controls for TSA. 
Our findings are\ndivided into two groupings: 1) IT general controls and 2) Financial system functionality.\n\n\nRelated to IT General Controls\nIT General Controls: Configuration Management \xe2\x80\x93 we noted:\nCoast Guard\xe2\x80\x99s core financial system configuration management process controls are not operating\neffectively, and continue to present risks to TSA financial data confidentiality, integrity, and availability.\nFinancial data in the general ledger may be compromised by automated and manual changes that are not\nadequately controlled. For example, the Coast Guard uses an IT scripting process to make updates to its\ncore general ledger software as necessary to process financial data. However, the Coast Guard has not\nfully developed testing standards to guide staff in the development and functional testing of IT scripts,\ndocumented policies and procedures over testing plans that must be performed, and improve processes to\nensure that all necessary approvals are obtained prior to implementation. Specifically, we noted the\nfollowing Coast Guard design issues, operating effectiveness deficiencies, as well as TSA\xe2\x80\x99s own\nmonitoring deficiencies associated with the IT script control process:\n    \xef\xbf\xbd\t Coast Guard lacks a formal process to distinguish between the module lead approvers for script\n       approval requests.\n    \xef\xbf\xbd\t FINCEN analysts may run scripts without seeking further approval from the functional \n\n       supervisors for approved recurring scripts. 
\n\n    \xef\xbf\xbd\t Testing requirements are inconsistently followed for the testing of the recurring approval scripts\n       and retaining evidence of testing.\n    \xef\xbf\xbd\t No reconciliation between the scripts run and the changes made to the database tables is being\n       performed to monitor the script activities using this report as it is too difficult to accurately and\n       effectively reconcile the scripts to the audit log table changes.\n    \xef\xbf\xbd\t The Script Tracking System does not consistently include all testing, approval, and \n\n       implementation documentation for all scripts. \n\n    \xef\xbf\xbd\t Variations in the way the PRP approval forms are populated and completed exist for fields such\n       as financial impact, test strategy and baseline determinations.\n    \xef\xbf\xbd\t Proper approval is not consistently obtained and documented prior to the running of each script.\n\n\n\n\n                                                      3\n \n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                   Department of Homeland Security \n\n                                Transportation Security Administration \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\n\n\nRelated to financial system functionality:\nWe noted that financial system functionality limitations are contributing to control deficiencies and\ninhibiting progress on corrective actions for Coast Guard. These functionality limitations are preventing\nthe Coast Guard from improving the efficiency and reliability of its financial reporting processes. Some of\nthe financial system limitations lead to extensive manual and redundant procedures to process\ntransactions, verify accuracy of data, and to prepare financial statements. 
Systemic conditions related to\nfinancial system functionality include:\n    \xef\xbf\xbd\t As noted above, Coast Guard\xe2\x80\x99s core financial system configuration management process is not\n       operating effectively due to inadequate controls over IT scripts. The IT script process was\n       instituted as a solution primarily to compensate for system functionality and data quality issues;\n       and\n    \xef\xbf\xbd\t Annual financial system account recertifications are not being performed due to limitations in the\n       systems.\n\n\nRecommendations: Unless specifically noted where TSA needs to take specific corrective action, we\nrecommend that the TSA CFO and CIO work with the DHS Office of Chief Information Officer (OCIO)\nto ensure that the Coast Guard/FINCEN complete the following corrective actions:\n\n\n    \xef\xbf\xbd\t Continue to design, document, implement, and enforce the effectiveness of internal controls\n       associated with the active (current and future) scripts;\n\n    \xef\xbf\xbd\t Update / develop procedures and implement technical controls in the CAS and FPD databases to\n       ensure that the appropriate monitoring and review of script activities is performed and\n       documented;\n\n    \xef\xbf\xbd\t Continue to update script policies and procedures to include clear requirements and more detailed\n       guidance over requesting recurring scripts, testing and documentation requirements,\n       monitoring/audit log reviews, and blanket approval requirements. 
Additionally, ensure that the\n       policies and procedures include detailed guidance over the requirements for the testing of scripts\n       and associated test plans to ensure that the appropriate financial impact of the script is evaluated,\n       reviewed by the appropriate personnel, tested in an appropriate test environment prior to being\n       put into production, and documented prior to execution;\n\n    \xef\xbf\xbd\t Further develop and implement policies and procedures governing the script change control\n       process to ensure that all script records within the CMSS are accurate and complete; and\n\n    \xef\xbf\xbd\t Address the IT system aspects associated with the financial system functionality issues listed in\n       bullets No. 1 and No. 2 above, or develop compensating/mitigating controls in order to eliminate\n       or reduce the associated risk.\n\n\n\n\n                                                     4\n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                   Department of Homeland Security \n\n                                Transportation Security Administration \n\n                               Information Technology Management Letter\n                                          September 30, 2009\n\nTSA Specific Recommendation:\nWe recommend that the TSA CFO and CIO continue to develop and implement monitoring controls over\nthe FINCEN IT scripting process for the scripts that impact TSA. 
Additionally, the CFO and CIO should\nensure that the TSA policies and procedures include detailed guidance over the requirements for TSA\xe2\x80\x99s\nown monitoring and review of the scripts, including associated test plans to ensure that the appropriate\nTSA financial impact of the script is evaluated and reviewed by the appropriate personnel, tested in an\nappropriate environment prior to being put into production, and documented prior to execution.\nIn addition, we recommend that TSA CFO and CIO obtain the results of the study performed by an\noutside contractor in FY 2009 and determine if any findings and recommendations should be considered\nto strengthen internal controls.\n\n\nOther Findings in IT General Controls\nIn addition to the configuration management and financial system functionality issues mentioned above,\nthe following deficiencies were also identified during our TSA IT engagement:\n\n\nAccess controls \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Access review procedures for key financial applications do not include the review of all user\n       accounts to ensure that all terminated individuals no longer have active accounts, inactive\n       accounts are locked, and privileges associated with each individual are still authorized and\n       necessary.\n\n\nSecurity management \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t The computer access agreement and exit clearance procedures for TSA employees have not been\n       consistently implemented; and\n    \xef\xbf\xbd\t During our after-hours physical security and social engineering testing we identified exceptions in\n       the protection of sensitive user account information. The tables below detail the exceptions\n       identified at the locations tested.\n\nPhysical Security Testing\n\n    We performed after-hours physical security testing to identify risks related to non-technical aspects of\n    IT security. 
These non-technical IT security aspects include physical access to media and equipment\n    that houses financial data and information residing on a TSA employee\xe2\x80\x99s / contractor\xe2\x80\x99s desk, which\n    could be used by others to gain unauthorized access to systems housing financial information. The\n    testing was performed at TSA Headquarters.\n\n\n\n\n                                                     5\n \n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                  Department of Homeland Security \n\n                               Transportation Security Administration \n\n                              Information Technology Management Letter\n                                         September 30, 2009\n\n\n\n\n                Exceptions Noted                              Total Exceptions at TSA\n                                                                    HQ by Type\n                Passwords                                                4\n                For Official Use Only (FOUO)                             0\n                Keys/Badges                                              0\n                Personally Identifiable Information (PII)                0\n                Server Names/IP Addresses                                0\n                Laptops                                                  0\n                External Drives                                          0\n                Credit Cards                                             0\n                Classified Documents                                     0\n                Other \xe2\x80\x93US government official passport                   0\n                Total Exceptions at TSA HQ                               4\n\nSocial Engineering Testing\nSocial engineering is defined as the act of attempting to manipulate or deceive individuals into taking\naction that is inconsistent with 
DHS policies, such as divulging sensitive information or allowing /\nenabling computer system access. The term typically applies to trickery or deception for the purpose of\ninformation gathering, or gaining computer system access.\n\n              Total Called Total Answered Number of people who provided a password\n              20           5              0 Passwords Provided\n\n\nRecommendations: We recommend that TSACFO and CIO take the following corrective actions:\n\n\nFor access controls:\n    \xef\xbf\xbd\t Update the quarterly review process to include procedures surrounding the recertification of\n       accounts with elevated privileges on the Unit Approved Plan. In addition, the recertification\n       process should be documented, include supervisor written approval and occur on an at least\n       annual basis.\nFor entity-wide security program planning and management:\n    \xef\xbf\xbd\t Implement the Employee Exit Clearance Procedures by completing, certifying, and maintaining\n       all forms required during the exit process for employees and contractors;\n    \xef\xbf\xbd\t Implement the IT Security Policy Handbook by verifying that all TSA employees and contractors\n       sign a computer access agreement prior to being granted system access;\n    \xef\xbf\xbd\t Review its policies and procedures regarding Protection of Sensitive Information and update\n       where required in order to address DHS and other Federal requirements, with emphasis being\n       placed on the potential impacts of not consistently and adequately protecting this sensitive\n       information; and\n\n\n                                                    6\n\n\n   Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                    Department of Homeland Security \n\n                                 Transportation Security Administration \n\n                                Information Technology Management 
Letter\n                                           September 30, 2009\n\n\n    \xef\xbf\xbd\t Review, and update as required, its security awareness / training content to address the updated\n       Protection of Sensitive Information policies and procedures.\n\nCause/Effect: Many of these deficiencies were inherited from the Coast Guard\xe2\x80\x99s lack of properly\ndesigned, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive\nSystem Policy 4300A Directive and Handbook and NIST guidance. The lack of documented and\nimplemented security configuration management controls may result in security responsibilities\ncommunicated to system developers improperly as well as the improper implementation and monitoring\nof system changes by Coast Guard management. This also increases the risk of unsubstantiated changes\nas well as changes that may introduce errors or data integrity issues that are not easily traceable back to\nthe changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or\nsensitive information and systems. This may reduce the reliability of information produced by these\nsystems. In addition, reasonable assurance should be provided that financial system user access levels are\nlimited and monitored by both TSA and Coast Guard management for appropriateness and that all user\naccounts belong to current employees. This is particularly essential for those user accounts that have\nbeen identified as having elevated privileges. This may also increase the risk that the confidentiality,\nintegrity, and availability of system controls and the financial data could be exploited thereby\ncompromising the integrity of financial data used by management and reported in the DHS financial\nstatements. 
In addition, without proper personnel security measures in place, such as background
investigations, TSA financial data could be inappropriately manipulated by contract personnel whose
intent is to create havoc or inappropriate financial gain.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic
Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with
OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and
various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In
addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies
to follow in developing, operating, evaluating, and reporting on financial management systems. FFMIA sets
forth legislation prescribing policies and standards for executive departments and agencies to follow in
developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA
is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform
accounting standards throughout the Federal Government; (2) require Federal financial management systems
to support full disclosure of Federal financial data, including the full costs of Federal programs and activities;
(3) increase the accountability and credibility of federal financial management; (4) improve performance,
productivity and efficiency of Federal Government financial management; and (5) establish financial
management systems to support controlling the cost of Federal Government.
In closing, for this year’s IT
audit we assessed the DHS component’s compliance with DHS Sensitive System Policy Directive 4300A.


APPLICATION CONTROLS

Application controls were not tested for the year ending September 30, 2009 due to the nature of the
current year’s audit findings.


MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from TSA’s Chief Financial Officer. Generally,
the TSA management agreed with all of our findings and recommendations. TSA management has
developed a remediation plan to address these findings and recommendations.
We have included a copy
of the comments in Appendix D.

OIG Response
We agree with the steps that TSA management is taking to satisfy these recommendations.


Appendix A

Description of Key Financial Systems and IT Infrastructure within
the Scope of the FY 2009 TSA Integrated Audit at the
Transportation Security Administration

Below is a description of significant TSA financial management systems and supporting Information
Technology (IT) infrastructure included in the scope of the engagement to perform the financial
statement audit.

Locations of Audit: TSA Headquarters in Washington, D.C. and the Coast Guard Finance Center
(FINCEN) in Chesapeake, Virginia.
TSA’s financial applications are hosted on the Coast Guard’s IT
platforms.

Key Systems Subject to Audit:
- Core Accounting System (CAS): Core accounting system that is the principal general ledger for
  recording financial transactions for the Coast Guard. CAS is hosted at FINCEN, the Coast
  Guard’s primary data center. It is a customized version of Oracle Financials.
- Financial Procurement Desktop (FPD): Used to create and post obligations to the core
  accounting system. It allows users to enter funding, create purchase requests, issue procurement
  documents, perform system administration responsibilities, and reconcile weekly program
  element status reports. FPD is interconnected with the CAS system and is hosted at FINCEN.
- Sunflower: Sunflower is a customized third party commercial off the shelf (COTS) product
  hosted at FINCEN and used for TSA and Federal Air Marshals (FAMS) property management.
  Sunflower interacts directly with the FA module in CAS.
  Additionally, Sunflower is
  interconnected to the FPD system.


Appendix B

FY2009 Notice of IT Findings and Recommendations at the
Transportation Security Administration

Notice of Findings and Recommendations – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS
Consolidated Independent Auditors Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for
consolidated reporting purposes.

These ratings are provided only to assist the Transportation Security Administration in the development of its
corrective action plans for remediation of the deficiency.


Department of Homeland Security
Transportation Security Administration
FY2009 Information Technology
Notice of Findings and Recommendations – Detail

NFR #: TSA-IT-09-20
New Issue: [ ]    Repeat Issue: [X]    Risk Rating**: 1

Condition:
  We were unable to obtain 6 of the 8 Employee Exit Clearance Forms and 1 of the 3 Separating
  Non-Screener Employee and Contractor IT Certificates sampled.

Recommendation:
  - Complete workgroup efforts to establish clear ownership and corrective action plans for the
    conditions noted.
  - Complete and maintain all forms during the exit process, as required by the Employee Exit
    Clearance procedures for employees and contractors.
  - Verify that a computer access agreement is acknowledged by all TSA employees and
    contractors, as required by the IT Security Policy Handbook, and that evidence of this
    acknowledgement is maintained.


NFR #: TSA-IT-09-23
New Issue: [ ]    Repeat Issue: [X]    Risk Rating**: 3

Condition:
  Deficiencies continued to exist over the script configuration management process. Specifically,
  deficiencies were noted in the areas of approvals, testing, monitoring, maintaining documentation,
  and audit logging.
  - Coast Guard lacks a formal process to distinguish between the module lead approvers for
    script approval requests.
  - Coast Guard Finance Center (FINCEN) analysts may run scripts without seeking further
    approval from the Functional Supervisors for approved recurring scripts.
  - Testing requirements are inconsistently followed for the testing of the Recurring Approval
    scripts and retaining evidence of testing.
  - No reconciliation between the scripts run and the changes made to the database tables is
    being performed to monitor the script activities using this report as it is too difficult to
    accurately and effectively reconcile the scripts to the audit log table changes.
  - The Script Tracking System does not consistently include all testing, approval, and
    implementation documentation for all scripts.
  - Variations in the way the Production Review Process (PRP) Approval Forms are populated
    and completed exist for fields such as financial impact, test strategy and baseline
    determinations.
  - Proper approval is not consistently obtained and documented prior to the running of each
    script.
  In addition, we noted the following deficiencies related to TSA monitoring controls over the Coast
  Guard IT script process:
  - TSA management receives a weekly script report as well as a Validation of Monthly
    Recurring Scripts from FINCEN. However, we were informed that TSA was still requesting
    modifications to the script reports and had asked FINCEN to go back into Change
    Management Script System (CMSS) to populate missing information so that further analysis
    could be conducted. Additionally, during test work, we noted that for eight PRP forms, the
    financial impact determination did not match the CMSS script record field.
  - TSA management is still in the process of identifying the appropriate subject matter experts
    in each area and has not formalized the roles and responsibilities surrounding this process.
  - TSA policies and procedures developed by require that the TSA subject matter experts
    utilize the financial impact guidance set forth by FINCEN management in the PRP Staff
    Instruction. However, upon inspection of the PRP Instruction we determined that this
    guidance does not adequately include detailed criteria to determine financial impact.
  - Once the financial impact is assessed and approved by FINCEN for the parent blanket
    approved recurring script, the testing of the script is not subsequently reviewed by an
    individual with financial reporting knowledge for child scripts that are run in production to
    ensure that financial impact is correct before the script is placed in production.
  - TSA is not asked to review and approve all scripts with a financial impact – thus a Coast
    Guard approver may approve a script that TSA is not in agreement with, or even aware of.

Recommendation:
  Continue making improvements to implement and better document an integrated script
  configuration management process that includes enforced responsibilities of all participants in the
  process, and the continued development of documentation requirements. We recommend that the
  Coast Guard:
  - Continue to design, document, implement, and enforce the effectiveness of internal controls
    associated with the active (current and future) scripts.
  With respect to procedures already in place, Coast Guard should:
  - Update / Develop procedures and implement technical controls in the Core Accounting
    System (CAS) and Financial Procurement Desktop (FPD) databases to ensure that the
    appropriate monitoring and review of script activities is performed and documented.
  - Continue to update script policies and procedures to include clear requirements and more
    detailed guidance over requesting recurring scripts, testing and documentation requirements,
    monitoring/audit log reviews, and blanket approval requirements. Additionally, ensure that
    the policies and procedures include detailed guidance over the requirements for the testing of
    scripts and associated test plans to ensure that the appropriate financial impact of the script is
    evaluated, reviewed by the appropriate personnel, tested in an appropriate test environment
    prior to being put into production, and documented prior to execution.
  - Further develop and implement policies and procedures governing the script change control
    process to ensure that all script records within the Change Management Script System are
    accurate and complete.


NFR #: TSA-IT-09-28
New Issue: [X]    Repeat Issue: [ ]    Risk Rating**: 1

Condition:
  During our after-hours physical security testing, we identified 4 passwords located on employee
  workstations.

Recommendation:
  Review security awareness programs designed to protect financial data to help ensure that
  individuals are adequately instructed and reminded of their roles in the protection of both electronic
  and physical TSA financial data and hardware that supports financial data.


NFR #: TSA-IT-09-29
New Issue: [X]    Repeat Issue: [ ]    Risk Rating**: 1

Condition:
  Controls over the TSA quarterly access reviews for CAS and FPD user accounts have not been
  effectively implemented to ensure that TSA users who no longer require system access are removed
  in a timely manner.

Recommendation:
  Develop and effectively implement quarterly review policies and procedures that include follow-up
  measures that will be enforced to ensure that users identified through these reviews as maintaining
  unnecessary access have their accounts end dated in a timely manner.


Appendix C

Status of Prior Year Notices of Findings and Recommendations And
Comparison To
Current Year Notices of Findings and Recommendations
                                                                                         Appendix C\n                                  Department of Homeland Security\n                                Transportation Security Administration\n                           Information Technology Management Letter\n                                          September 30, 2009\n\n\n\n                                                                                                  Disposition\nNFR No.         Description                                                                 Closed         Repeat\n\n TSA-IT-08-01    The Coast Guard Finance Center (FINCEN) Continuity of                        X\n                 Operations Plan (COOP) has not been updated to reflect the results\n                 of testing the COOP, and the Business Continuity Plans for each\n                 division have not been finalized.\n TSA-IT-08-03    During the first half of the fiscal year, the contract with the Core         X\n                 Accounting System (CAS) and Financial Procurement Desktop\n                 (FPD) software vendor was still in place, and no corrective action\n                 had taken place related to the prior year recommendation.\n                 Therefore, the risk exists that the condition was present for the\n                 majority of the fiscal year. 
However, due to the Coast Guard\n                 decision to terminate the contract with their software vendor and the\n                 Coast Guard Headquarters decision to suspend all Software Problem\n                 Reports (SPRs) and Software Change Requests (SCRs), the\n                 condition did not exist beyond the date of these 2 events.\n TSA-IT-08-05    Coast Guard Headquarters has developed but not yet implemented               X\n                 policies and procedures to require that a favorably adjudicated\n                 background investigation be completed for all contractor personnel.\n                 (1)\n TSA-IT-08-06    Coast Guard headquarters has not finalized the Role-Based Training           X\n                 for Coast Guard Information Assurance Professionals Commandant\n                 Instruction, which will require all Coast Guard members, employees,\n                 and contractors with significant IT security responsibilities to receive\n                 initial specialized training and annual refresher training thereafter.\n                 The online Training Management Tool, which will track compliance,\n                 will not be implemented until the Role-Based Training is\n                 implemented. 
(1)\n TSA-IT-08-13    FINCEN has not completed the risk assessment for the CAS Suite,              X\n                 and the CAS System Security Plan (SSP) is still in draft form.\n TSA-IT-08-15    Of the 669 employees/contractors with current access to the                  X\n                 following TSA\xe2\x80\x99s financial applications: CAS, FPD, and Sunflower;\n                 152 employees/contractors have not completed the IT Security\n                 Awareness Training.\n TSA-IT-08-18    Configuration management deficiencies continue to exist on hosts             X\n                 supporting the CAS, FPD and WINS applications and the underlying\n                 General Support Systems (GSS).\n\n                  Note: Due to the nature of this testing, see the tables in the NFR\n                  for the specific conditions.\n\n TSA-IT-08-19    Security patch management deficiencies continue to exist on hosts            X\n                 supporting the CAS, FPD and WINS applications and GSS.\n\n                  Note: Due to the nature of this testing, see the tables in the NFR\n\n\n                                                          18\n\n      Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                                                                                      Appendix C\n                                  Department of Homeland Security\n                                Transportation Security Administration\n                           Information Technology Management Letter\n                                          September 30, 2009\n\n\n                                                                                                 Disposition\nNFR No.         
Description                                                                Closed         Repeat\n\n                  for the specific conditions.\n\n TSA-IT-08-20    We were unable to obtain 21 1163 Forms and 27 1402 Forms for                              09-20\n                 each sample of 40. Additionally, 2 of the 13 1402 Forms received\n                 were signed after the forms were requested for audit.\n\n                 The IT Security Policy Handbook requires all TSA personnel\n                 including contractors to review and sign the TSA Form 1403:\n                 Computer Access Agreement. However, we were unable to obtain 7\n                 of the 25, 1403: Computer Access Agreements sampled. Of the 18\n                 forms we obtained, 5 were dated after the sample was requested for\n                 audit.\n TSA-IT-08-21    The change control policy has not been fully completed and                  X\n                 implemented. The United States Coast Guard (CG) is responsible\n                 for making software changes to the CAS, FPD and Sunflower\n                 applications, however, on March 31, 2008, CG HQ terminated its\n                 contract with the software vendor/developer for CAS, FPD and\n                 Sunflower, which has hindered TSA\xe2\x80\x99s ability to fully complete and\n                 implement the CAS, FPD and Sunflower change control policy.\n TSA-IT-08-22    We noted that control deficiencies still exist within the design of         X\n                 FINCEN\xe2\x80\x99s Configuration Management policies and procedures for\n                 CAS and FPD, as well as the operating effectiveness of those\n                 controls. 
Our test work over the design of the change controls\n                 covered both periods of the change control environment; however,\n                 our testing of operating effectiveness covered only the period of start\n                 of the fiscal year through March 2008, since no changes were made\n                 to CAS and FPD from April through the remainder of the fiscal year.\n TSA-IT-08-23    Coast Guard\xe2\x80\x99s controls over the scripting process remain ineffective.                     09-23\n                 Deficiencies were noted in controls over script implementation,\n                 approvals and testing, as well as active script modification. In\n                 addition, Coast Guard has not maintained or developed a population\n                 of scripts run since the inception of CAS in 2003 nor has it\n                 performed a historical analysis of script impact on the cumulative\n                 balances in permanent accounts of the financial statements.\n                 Specifically:\n                   \xef\xbf\xbd Coast Guard lacks a formal process to distinguish between the\n                     module lead approvers for script approval requests;\n                   \xef\xbf\xbd The Procedures for Data Scripts do not specifically state the\n                     testing and documentation requirements for blanket approval\n                     scripts and this policy remains in draft form;\n                   \xef\xbf\xbd Coast Guard does not monitor scripts run in the database\n                     through audit logging and has not developed a technical\n                     solution to monitor who accesses the database through SQL\n\n\n                                                         19\n\n      Information Technology Management Letter for the FY 2009 TSA Financial Integrated Audit\n\x0c                                                                                                    Appendix C\n             
                     Department of Homeland Security\n                                Transportation Security Administration\n                           Information Technology Management Letter\n                                          September 30, 2009\n\n\n                                                                                               Disposition\nNFR No.         Description                                                              Closed         Repeat\n\n                     Navigator to run scripts or review what scripts are run;\n                   \xef\xbf\xbd The Script Tracking System does not consistently include all\n                     testing, approval, and implementation documentation for all\n                     scripts; and\n                   \xef\xbf\xbd Coast Guard has not completed PRP documentation for all\n                     scripts executed since their implementation.\n                 Additionally, although Coast Guard did conduct an examination with\n                 an external contractor organization, we have determined that the\n                 analysis was incomplete. Specifically, due to the many limitations\n                 over scope, it did not consider the full population of scripts run at\n                 FINCEN currently or since the inception of CAS. Furthermore, the\n                 analysis did not properly evaluate scripts as to financial statement\n                 impact, including current versus prior year effect.\n TSA-IT-08-24    Although Coast Guard Headquarters is in the process of completing         X\n                 background investigations for all civilian employees, this has not\n                 been completed. 
Additionally, Coast Guard has set its position\n                 sensitivity designations to Low for the majority of its employees.\n                 However, DHS requires position sensitivity designations no less than\n                 Moderate, which equates to a Minimum Background Investigation\n                 (MBI). Therefore, we determined that the conditions noted in prior\n                 year have not been remediated. (1)\n\n     (1): The TSA NFRs listed as closed were based upon exceptions identified at Coast Guard\n     from previous years. These NFRs were not closed due to Coast Guard remediating the\n     exceptions during the year, but instead it was determined that they would be closed from an\n     NFR delivery perspective.\n\n     Appendix D\n\n     U.S. Department of Homeland Security\n     Office of Finance and Administration\n     601 South 12th Street, TSA-14\n     Arlington, VA 20598-6014\n\n     Transportation Security Administration
\n\n     Frank Deffer\n     Assistant Inspector General, Information Technology Audits\n     Department of Homeland Security\n     Office of Inspector General\n     245 Murray Lane, SW\n     Building 410\n     Washington, DC 20528\n\n     Dear Mr. Deffer:\n\n        Thank you for the opportunity to comment on the Draft Report: Information Technology\n     Management Letter for the FY 2009 Transportation Security Administration (TSA) Financial\n     Integrated Audit. TSA appreciated your recommendations included in your report and we look\n     forward to working with your team during the upcoming FY 2010 audit.\n\n                                        Sincerely,\n\n                                          VI        lcholson\n                                        Assistant Administrator and Chief Financial Officer\n                                        Office of Finance and Administration\n
\n     Appendix E\n\n                Report Distribution\n\n                Department of Homeland Security\n\n                Secretary\n                Deputy Secretary\n                General Counsel\n                Chief of Staff\n                Deputy Chief of Staff\n                Executive Secretariat\n                Under Secretary, Management\n                Administrator, TSA\n                DHS Chief Information Officer\n                DHS Chief Financial Officer\n                Chief Financial Officer, TSA\n                Chief Information Officer, TSA\n                Chief Information Security Officer\n                Assistant Secretary, Policy\n                Assistant Secretary for Public Affairs\n                Assistant Secretary for Legislative Affairs\n                DHS GAO OIG Audit Liaison\n                Chief Information Officer, Audit Liaison\n                TSA Audit Liaison\n\n                Office of Management and Budget\n\n                Chief, Homeland Security Branch\n                DHS OIG Budget Examiner\n\n                Congress\n\n                Congressional Oversight and Appropriations Committees as Appropriate\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your 
request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n'